On Thu, Nov 23, 2006 at 01:03:00PM +0100, carlopmart wrote:
> We have several problems with ipsec connections for roadwarrior
> clients using x509 certificates. We use ipsec.conf to accomplish this
> configuration:
>
> ike passive proto tcp from 192.168.2.3 to { 129.31.0.0/16,
> 129.11.0.0/16, 129.61.0.0/16, 129.71.0.0/16 } port 5900 \
> quick auth hmac-sha1 enc 3des group modp1024
> ike passive proto tcp from 192.168.2.3 to { 129.31.0.0/16,
> 129.11.0.0/16, 129.61.0.0/16, 129.71.0.0/16 } port 3389 \
> quick auth hmac-sha1 enc 3des group modp1024
> ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \
> srcid firewall.ourdomain.com dstid [EMAIL PROTECTED]
>
> ike passive proto tcp from { 192.168.2.9, 192.168.2.10, 192.168.2.11 }
> to { 129.42.0.0/16, 192.168.156.0/24 } port 5900 \
> quick auth hmac-sha1 enc 3des group modp1024
> ike passive proto tcp from { 192.168.2.9, 192.168.2.10, 192.168.2.11 }
> to { 129.42.0.0/16, 192.168.156.0/24 } port 3389 \
> quick auth hmac-sha1 enc 3des group modp1024
> ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \
> srcid firewall.ourdomain.com dstid [EMAIL PROTECTED]
>
> Well, this configuration doesn't work. If user [EMAIL PROTECTED]
> connects to our LANs, [EMAIL PROTECTED] (if he is connected) loses
> all connections.
>
> If we change the third and sixth lines to:
>
> ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des
> srcid firewall.ourdomain.com
>
> only one user can be authenticated. Can somebody tell me how I can
> resolve this problem?? The ipsec.conf man pages don't help .....
We have the following in /etc/ipsec.conf:

ike passive esp from 192.168.1.0/24 to any \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    srcid vpn.fqdn.com

With this, I can have multiple users behind a single NAT firewall connect
without anyone being dropped. This is with isakmpd on OpenBSD 4.0. We're
using X.509 certificates as well.

-- 
albert chin ([EMAIL PROTECTED])
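As an added example (not from either poster, and not part of isakmpd or ipsecctl), the following Python script parses the `ike` rules of an ipsec.conf and flags the pattern from the first message: several passive rules with identical from/to selectors and srcid that differ only in their dstid, which is the configuration the thread reports as knocking one road warrior off when another connects. The two sample configurations and the user identities in them are constructed for the example, modelled on the thread; the function names are hypothetical.

```python
"""Lint an OpenBSD ipsec.conf for passive ike rules that differ only in dstid.

Hypothetical helper written for this thread; it is not an isakmpd/ipsecctl tool.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the first poster's configuration
# (user identities are placeholders, not real addresses).
BROKEN_CONF = """\
ike passive proto tcp from 192.168.2.3 to { 129.31.0.0/16,
129.11.0.0/16 } port 5900 \\
quick auth hmac-sha1 enc 3des group modp1024
ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \\
srcid firewall.ourdomain.com dstid alice@ourdomain.com
ike passive esp from 192.168.0.3 to any main auth hmac-sha1 enc 3des \\
srcid firewall.ourdomain.com dstid bob@ourdomain.com
"""

# Constructed sample, modelled on the working configuration in the reply.
FIXED_CONF = """\
ike passive esp from 192.168.1.0/24 to any \\
    main auth hmac-sha1 enc aes group modp1024 \\
    quick auth hmac-sha1 enc aes \\
    srcid vpn.fqdn.com
"""

# A brace list is one token; everything else splits on whitespace.
TOKEN_RE = re.compile(r"\{[^}]*\}|\S+")


def logical_lines(text):
    """Yield one rule per logical line, joining '\\' continuations and
    lists that span physical lines inside '{ ... }'. Comments are dropped."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        cont = line.endswith("\\")
        if cont:
            line = line[:-1]
        buf.append(line.strip())
        depth += line.count("{") - line.count("}")
        if not cont and depth == 0:
            yield " ".join(buf)
            buf = []
    if buf:  # unterminated continuation at end of file
        yield " ".join(buf)


def parse_rule(rule):
    """Extract the selector and identity fields of an 'ike' rule.
    Returns None for lines that are not ike rules (e.g. 'flow' or macros)."""
    toks = TOKEN_RE.findall(rule)
    if not toks or toks[0] != "ike":
        return None
    info = {"mode": "active", "proto": None, "from": None, "to": None,
            "sport": None, "dport": None, "srcid": None, "dstid": None,
            "quick": "quick" in toks}
    side, i = None, 1
    while i < len(toks):
        t = toks[i]
        if t in ("active", "passive", "dynamic"):
            info["mode"] = t
        elif t in ("proto", "from", "to", "srcid", "dstid"):
            i += 1
            info[t] = re.sub(r"\s+", "", toks[i])  # normalise '{ a, b }'
            if t in ("from", "to"):
                side = t
        elif t == "port":  # 'port' binds to the preceding from/to
            i += 1
            info["sport" if side == "from" else "dport"] = toks[i]
        i += 1
    return info


def find_colliding_rules(text):
    """Return [(from, to, [dstid, ...]), ...] for groups of passive rules that
    share selectors and srcid but carry different dstids."""
    groups = defaultdict(list)
    for rule in logical_lines(text):
        r = parse_rule(rule)
        if r and r["mode"] == "passive":
            key = (r["proto"], r["from"], r["to"], r["sport"], r["dport"], r["srcid"])
            groups[key].append(r)
    findings = []
    for key, rules in groups.items():
        dstids = {r["dstid"] for r in rules}
        if len(rules) > 1 and len(dstids) > 1:
            findings.append((key[1], key[2], sorted(d or "<none>" for d in dstids)))
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for src, dst, ids in find_colliding_rules(conf):
            print(f"{label}: passive rules from {src} to {dst} differ only in dstid {ids}; "
                  "consider one srcid-only rule as in the reply")
```

Run it against a real /etc/ipsec.conf by replacing the constructed strings with the file contents; the parser only covers the rule forms that appear in this thread (ike rules with from/to/port, brace lists and srcid/dstid), so macros and `flow` rules are skipped rather than interpreted.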